The US Federal Bureau of Investigation (FBI) has sent out a security alert warning that threat actors have stolen source code from government agencies and private businesses and are abusing misconfigured SonarQube applications to access and steal critical information. The intrusions have been taking place since April 2020.
The security alert explicitly warns owners of the web-based application SonarQube. The app is installed on web servers and connected to source code hosting systems such as GitHub, Bitbucket, and Azure DevOps. The FBI says some companies have left these systems unprotected, running on their default configuration with default admin credentials.